A preliminary fact-finding report into the cyberattack that has crippled services at the All India Institute of Medical Sciences (AIIMS) in Delhi found a host of cybersecurity lapses, people who reviewed the assessment said that the administration has been told of how these problems led to hackers causing havoc through the network.
AIIMS, widely regarded as India’s foremost government hospital, was hit by a ransomware attack on November 23, when staff was first unable to access the mainstay hospital management tool, eHospital. Between then and Monday night, the hospital shifted its processes offline, with the first resumptions in any digital processing happening only on Tuesday with a small number of registrations for one of the departments.
The report, according to one of the officials who saw it, found that the firewall deployed to protect the AIIMS network was not configured properly and there were no safeguards at various intermediary points, which are called switches. “In the network, most of the switches were unmanaged,” the person quoted the report as concluding.
An unmanaged switch has no security features, while a managed switch could have potentially stopped the ransomware infection from spreading. Similarly, firewall policies are meant to define what sort of traffic to allow or stop, which could have restricted the hacker’s ability to breach the network.
“The hospital administration was informed that its cyber security was not ‘up-to-the-mark’, which made it easy for hackers to corrupt the servers and also breach backup data,” a senior official from AIIMS, who did not want to be named, said. The report also mentions several other findings. For instance, the last successful login into eHospital was at 49 seconds past 7.07am, suggesting this was when the last of the servers were infected.
The same day, AIIMS authorities filed a complaint regarding the cyberattack at the cyber police station of south district. A first information report (FIR) under sections 66 (computer related offence) and 66F (punishment for cyber terrorism) of the Information Technology (IT) Act and the Indian Penal Code’s section 385 (extortion) was registered. The case was transferred to the Intelligence Fusion and Strategic Operations (IFSO), the specialised unit of the Delhi Police to deal with cybercrime.
There were also clues that data was sent to an IP address that was located to Hong Kong, the report found. To be sure, hackers often use virtual private networks (VPNs) to route their link over multiple locations to avoid giving away their real location.
Experts from India’s Computer Emergency Response Team (Cert-IN) examined the affected servers and on November 24 and found that that four servers – two application servers, one database server and one back-up server – were infected, leading to multiple databases being encrypted, said an officer associated with the probe, who asked not to be named.
A police officer associated with the case said that all infected servers were disconnected by the National Informatics Centre (NIC) team, which manages the eHospital system, to avoid contamination to other servers. “All files and data in the infected servers displayed a message which included – ‘free decryption as a guarantee. You can send us up to 3 free decrypted files before payment’,” the officer said.
The officer confirmed that the hackers sought a “payment” to unlock the affected files but did not specify the extortion amount. Reports said, the demand was for 30 bitcoin (roughly ₹4.2 crore.
“The two email addresses in question have been flagged to ProtonMail through Cert-IN and the Interpol, the nodal agency of which in India is the CBI, for seeking details of the user or users. The logs of the firewalls were also collected for analysis. The imaging of all infected systems and their hashing were done through experts of Delhi’s Forensic Science Laboratory (FSL) to maintain the evidential integrity and chain of custody. The seized image copies of the infected servers, RAM dumps, and logs were deposited at the NFSU, Gujarat on November 28 for analysis and expert opinion,” added a second officer, who asked not to be named.